Open Recursor Blocked

By Wouter Wijngaards

We have blocked an open recursive DNS nameserver running at NLnet Labs. This was due to abuse traffic, namely reflected traffic.

Two different types of abuse traffic were pointed at this server:

  • Queries of type ANY for large DNSSEC data. Sporadic bursts of about 3–5 qps, to one or two target IPv4 addresses at the same time.
  • Queries for NXDOMAIN responses, sporadic bursts of fairly low qps, with different query names for every query.

This is a low traffic volume. For this to amount to a sizable denial-of-service stream, many more recursive resolvers must have been sent such query streams. The second type also uses a different query name for every query, which together with the low traffic volume would bypass response rate limiting (RRL).

A sample of the traffic with different query names:

Apr 10 23:08:12 : 192.x.x.x kelfmdaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:12 : 192.x.x.x fcbajpaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x iediclaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x pfkgckaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x fjcjbdaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x dcdefaaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x eemcblaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x ocadmmaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x gblhefaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x mmhjaaaaaaerv0000diaaaaaaafaejam. A IN
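An added example, not part of the original post: a log check that groups queries by source and shared name suffix instead of by full query name, which shows why a counter keyed on the exact name sees nothing unusual in this burst. The function names and thresholds are assumptions; the first five log lines are from the sample above and the last two are constructed.

```python
import os
import re
from collections import defaultdict

# First five lines are from the sample above; the last two are constructed
# benign queries from a documentation address, added for contrast.
SAMPLE_LOG = """\
Apr 10 23:08:12 : 192.x.x.x kelfmdaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:12 : 192.x.x.x fcbajpaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x iediclaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x pfkgckaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 192.x.x.x fjcjbdaaaaerv0000diaaaaaaafaejam. A IN
Apr 10 23:08:13 : 198.51.100.7 www.example.com. A IN
Apr 10 23:08:14 : 198.51.100.7 www.example.com. A IN
"""

# timestamp " : " source qname qtype qclass
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) : (\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (source, qname, qtype) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower(), m.group(4)

def common_suffix(names):
    """Longest suffix shared by every name in the collection."""
    return os.path.commonprefix([n[::-1] for n in names])[::-1]

def find_varying_name_bursts(log, min_names=5, min_suffix=8):
    """Flag sources that send many distinct names differing only in a prefix.

    Returns {source: (distinct_names, max_repeats_of_one_name, shared_suffix)}.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for source, qname, _qtype in parse(log):
        per_source[source][qname] += 1
    flagged = {}
    for source, counts in per_source.items():
        suffix = common_suffix(list(counts))
        if len(counts) >= min_names and len(suffix) >= min_suffix:
            flagged[source] = (len(counts), max(counts.values()), suffix)
    return flagged

if __name__ == "__main__":
    for src, (n, repeats, suffix) in find_varying_name_bursts(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct names, max {repeats} per name, suffix *{suffix}")
```

Each name from the flagged source appears only once, so the burst becomes visible only after aggregating on the shared suffix.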

At NLnet Labs we host this open resolver for use by the dnssec-trigger project. It is used as one of the last fallback strategies for the retrieval of DNSSEC signed DNS data. The legitimate traffic to this resolver is very low, perhaps 1 qps. Dnssec-trigger is a project that helps enable DNSSEC validation on laptop and desktop computers. Dnssec-trigger probes the environment and selects a method to retrieve DNSSEC data. If possible it uses local methods, such as the DHCP supplied DNS resolver, or contacting the DNS servers on the internet over UDP. Therefore it does not contact the open resolver unless there is no alternative.

We have blocked UDP traffic for port 53 towards this open resolver. Other ports are left open so that the resolver can use UDP on other ports to retrieve DNS data from the internet itself. Dnssec-trigger uses the TCP and SSL ports for contacting this server, because if UDP works at some internet location, then dnssec-trigger uses that to contact different DNS servers.

The firewall rule that we enabled to block UDP traffic to port 53 on the open resolver:

broer = "{ 213.154.224.3, 2001:7b8:206:1:bb:: }"
block in quick on $ext_if proto { udp } from any to $broer port 53 no state

The open resolver cannot be contacted for queries on UDP, but remains usable on TCP, and on ports 80 and 443. This functionality is used by the dnssec-trigger project, so the resolver remains usable for DNSSEC deployment.